Method and system for identifying and downloading appropriate software or firmware specific to a particular model of set-top box in a cable television system

ABSTRACT

A method and system identify programming code that is appropriate to the architecture and capabilities of a set-top terminal in a cable television system. The appropriate programming code is identified from among a variety of code objects being broadcast from the headend facility of the cable television system. A platform identifier stored in the set-top terminal is matched to a corresponding platform identifier in an entitlement management message or other download locator message that specifies where in the transport stream from the headend a particular code object can be acquired. By acquiring the object corresponding to the message bearing a matching platform identifier, the set-top terminal acquires programming code compatible with its attributes. Additionally, the cable television system can then optimally support a varied population of set-top terminals.

RELATED APPLICATIONS

This application claims priority from a previous U.S. provisional patent application entitled “Software and Firmware Initialization and Upgrade Management System and Method for an Advanced Set-Top Box in a Cable Television System,” Ser. No. 60/130,328, filed Apr. 21, 1999.

FIELD OF THE INVENTION

The present invention relates to the field of initializing a set-top terminal of a cable television system and upgrading the software or firmware in the set-top terminal. More particularly, the present invention relates to the field of identifying and then downloading a specific version of a base platform code or other code object over the cable network that is appropriate to the architecture and capabilities of the set-top terminal performing the download.

BACKGROUND OF THE INVENTION

In a typical cable television system, subscribers are provided with a set-top box or terminal. The set-top terminal is a box of electronic equipment that is used to connect the subscriber's television, and potentially other electronic equipment, with the cable network. The set-top box is usually connected to the cable network through a co-axial wall outlet.

The set-top box is essentially a computer that is programmed to process the signals from the cable network so as to provide the subscriber with the cable services. These services from the cable television company typically include access to a number of television channels and, perhaps, an electronic program guide. Additional premium channels may also be provided to subscribers at an additional fee. Pay-per-view events and video-on-demand may also be provided over the cable network. The set-top box is programmed to provide these and other services to the subscriber.

However, the services of the cable company need not be limited to providing television programming. Some cable companies are now offering internet access and e-mail over their cable networks at speeds much faster than are available over conventional telephone lines. It is anticipated in the future that more and more services will be provided over the cable network, including even basic telephone service. Eventually, each home or office may have a single connection, via the cable network, to all electronic data services.

When a new set-top terminal is added to the cable network, it must be initialized. To initialize a set-top terminal, the terminal must be provided with the programming required to allow it to function within the specific cable network to which it is connected and to thereby provide the services for which the subscriber has paid. Additionally, as the cable network and the services provided evolve, the set-top terminal must also evolve to be able to provide subscribers with all the services of the cable network. This set-top box evolution will primarily involve changes to the programming, or perhaps a re-initialization, of the set-top box. By upgrading the soft- or firmware of the set-top box, the box can be made to perform more efficiently or offer new services as the cable network evolves.

In order to initialize new set-top terminals and upgrade the programming in the existing population of set-top boxes on a cable network, it is preferable to transmit the necessary programming to the set-top boxes via the cable network itself. Otherwise, a technician must visit each subscriber to install or upgrade the set-top boxes. Such field installations and upgrades would obviously be at significant expense. The headend is the facility from which the cable network operator broadcasts television signals and provides other services over the cable network. Software that is provided to the population of set-top terminals could be broadcast from the headend over the cable network.

However, there are a variety of problems associated with initializing and upgrading set-top terminals by broadcasting programming from the headend. For example, over time the population of set-top terminals will likely include different makes and models of set-top terminals with different capacities. The software required to initialize or upgrade each make and model of set-top terminal may be different. Consequently, there is a need in the art for a method of matching the proper programming code to the capabilities of the set-top terminal being initialized or upgraded. Additionally, there is a need to automate the initialization process so as to eliminate or decrease the time required by a technician to install, upgrade or re-initialize a set-top terminal.

SUMMARY OF THE INVENTION

It is an object of the present invention to meet the above-described needs and others. Specifically, it is an object of the present invention to provide a method and mechanism for matching the proper programming code being broadcast over the cable plant to the capabilities of the set-top terminal being initialized or upgraded. Additionally, it is a further object of the present invention to automate the initialization process so as to eliminate or decrease the time required by a technician to install, upgrade or re-initialize a set-top terminal.

Additional objects, advantages and novel features of the invention will be set forth in the description which follows or may be learned by those skilled in the art through reading these materials or practicing the invention. The objects and advantages of the invention may be achieved through the means recited in the attached claims.

To achieve these stated and other objects, the present invention may be embodied and described as a method of identifying a code object for download by a set-top terminal from a data transport stream broadcast to the set-top terminal over a cable television system where the object identified is appropriate to the architecture and capabilities of the set-top terminal. The method is performed by matching a platform identifier stored in the set-top terminal with a platform identifier in a download locator message that specifies where in the data transport stream a particular code object can be acquired. The platform identifier is specific to the architecture and capabilities of the set-top terminal. Preferably, the download locator message is an entitlement management message.

Prior to comparing the platform identifiers, the method includes tuning the data transport stream with the set-top terminal based on a table of control channels carrying data transport streams. After tuning the data transport stream, the method proceeds by collecting PID 1 packets from the data transport stream and extracting from the data of those packets a table specifying packet identifiers for a group of download locator messages being transmitted on the data transport stream. With this table, the method proceeds by successively acquiring each of the download locator messages listed in the table and extracting from each download locator message a platform identifier. This continues until a download locator message is found bearing a platform identifier that matches the platform identifier stored in the set-top terminal.

After a match is found, the method proceeds by obtaining locator data from the download locator message that has the platform identifier that matches the platform identifier stored in the set-top terminal. The locator data specifies where in the data transport stream a particular code object can be acquired. That particular code object will be appropriate for and compatible with the set-top terminal as indicated by the matched platform identifiers. The method then concludes with downloading to the set-top terminal the particular code object specified by the locator data from the download locator message that contains the platform identifier that matches the platform identifier stored in the set-top terminal.

The particular code object being acquired can be any of several different classes of objects. For example, the object can be a base platform code object, an operating system code object or a resident application code object.

The present invention also encompasses the necessary hardware to perform the method described above. For example, the present invention encompasses a system for identifying a code object for download by a set-top terminal from a data transport stream broadcast to the set-top terminal over a cable television system where the object identified is appropriate to the architecture and capabilities of the set-top terminal. Such a system would minimally comprise means for obtaining a first platform identifier in a download locator message that specifies where in the data transport stream a particular code object can be acquired; and means for matching the first platform identifier with a second platform identifier stored in the set-top terminal.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings illustrate the present invention and are a part of the specification. Together with the following description, the drawings demonstrate and explain the principles of the present invention.

FIG. 1 is a block diagram illustrating the three different stages at which different programming packages have control of the set-top terminal during the initialization process of the present invention.

FIG. 2 is a flow chart illustrating the steps of the initialization process for a set-top terminal according to the present invention.

FIG. 3 is a block diagram of the various memory devices and some code objects used in a set-top box according to the present invention.

FIG. 4 is a flow chart illustrating the method of the present invention for identifying code objects to be downloaded that are appropriate to the architecture and capabilities of the downloading set-top terminal.

DETAILED DESCRIPTION OF THE INVENTION

The present invention addresses the problems involved in broadcasting a variety of programming over a cable television system for download by the population of set-top terminals connected to the network so as to initialize or upgrade those terminals where different programming objects being broadcast are appropriate to different specific classes of set-top terminals within the terminal population and each downloading terminal must identify and acquire the programming object or objects appropriate to its architecture and capabilities. This process includes providing those code objects to the set-top boxes that are necessary to allow those set-top boxes to function within the cable system or to upgrade the programming resident in different classes of set-top boxes so as to provide the services purchased by subscribers.

Stated in broad principle, the present invention aims to provide a set-top terminal architecture that includes a resident boot code object. As shown in FIG. 3, the boot code object (302) resides in the set-top terminal (300), preferably in read only memory (ROM) (301) and can automatically execute and initialize or reinitialize the set-top terminal. The boot code will preferably be automatically executed by the central processor (321) of the set-top terminal. Execution of the boot code may be triggered by and immediately follow connection of power to the set-top terminal. The present invention may additionally require connection of the transport stream signal (322) from the cable system before execution of the boot code is triggered. Once the boot code is executing, no further action by the user/installer need be required. Moreover, no specific interaction is required between the headend and the set-top terminal that is initializing or booting.

As will be described in detail below, the boot code (302) of the present invention will automatically find, download and begin execution of the correct software code object or objects needed to initialize the set-top terminal. The boot code (302) will locate, identify and download the required programming from among potentially many code objects that might be multiplexed on the transport stream (322) coming from the headend facility of the cable television system. The boot code (302) recognizes the hardware configuration of the set-top terminal (300) in which it resides via an internal ROM coded identifier (320). This identifier (320) is matched against a value carried in an object download locator message from the transport stream (322) to ensure that the boot code (302) obtains and downloads objects appropriate to the set-top terminal (300) in which the boot code (302) is resident.

Functionally, the boot code of the present invention will identify an appropriate control channel frequency, find the stream of control data packets within that control channel, identify and download the correct object from among the objects on the transport stream, verify that the downloaded code is authorized and error-free, and start the downloaded code without direct assistance by a technician or intervention from the headend. The term “boot code” as used herein comprises the minimal code needed to accomplish this functionality.

There are essentially two distinct phases of programming a set-top box addressed by the present invention. The first is the initial programming of the set-top box. The second is upgrading the programming or re-initialization of the set-top box after that box has been placed in service.

The initial programming of the set-top box is often performed by the cable system operator after the set-top box has been purchased from a manufacturer. Because each cable network is designed and built at different times by different service providers, each cable network may have a different design and architecture and use different code objects. Additionally, each system will likely have different classes of set-top terminals which were installed at different times and have different architectures and capabilities. Moreover, the specific services offered may vary among cable networks.

Therefore, to adapt the set-top boxes to function within the specific environment of a service provider's cable system and to provide the specific group of services currently offered by that particular service provider, each set-top box must be programmed accordingly or “initialized.” Additionally, each terminal should, thereafter, be periodically re-programmed or upgraded to continue to function optimally within the evolving cable television system. Each time the programming of a set-top terminal is changed, the new code must be appropriate to the architecture and capabilities of that terminal.

The process of programming or reprogramming a set-top terminal according to the present invention will now be explained. In order for a set-top terminal to be initialized, i.e., accept and utilize the initial programming it receives, it must have some base programming that instructs it how to accept and use that initial programming. This base programming within the context of the present invention is called the boot code. As described above, the boot code is computer code resident in the permanent memory of the set-top terminal that is loaded, preferably into read-only memory, at the factory and cannot be changed once a terminal has been deployed.

As shown in FIG. 1, there are three general tiers or classifications of programming that run on or have control of the set-top terminal during different stages in the initialization and operation of the terminal according to the present invention. Referring to FIG. 1, the first classification of code is the boot code (1). While running the boot code (1), the set-top terminal cannot provide any services to the subscriber. The function (2) of the boot code (1) is to search the data transport stream received from the headend facility to locate, acquire and begin execution of the base platform code (3) which is the next tier or classification of programming.

The boot code (1) is designed to authenticate the base platform code after the base platform code is downloaded. The boot code (1) will preferably re-authenticate the base platform code every time it launches the base platform object (3). When the base platform code (3) is executing, the execution of the boot code (1) is terminated and control of the set-top terminal passes to the base platform code (3).

The base platform code (3) may be factory loaded. However, under the principles of the present invention, the base platform code (3) is preferably transmitted to the set-top terminal from the cable headend during the initialization of the terminal. This allows the operator of the cable system to customize the base platform code (3) for optimal operation on the specific cable system where the set-top terminal is deployed. Preferably, the base platform code (3) is transmitted over the cable plant on an out-of-band (OOB) transport stream. However, it is within the scope of the present invention for the base platform code (3) to be transmitted on an in-band control channel.

The base platform code (3) has two functions. The first function of the base platform code (3) is to provide the basic capability of allowing a subscriber to watch television using the signal from the cable television system. The second function is to control the download (5) of the next classification of code objects, i.e., the target operating system (O/S) and resident applications (6). The base platform code (3), while allowing subscribers to watch television, does not generally support any additional functions of the set-top terminal. However, the base platform code (3) can acquire, authenticate, authorize and execute objects of the third and final classification of programming (e.g., the O/S) (5).

The third classification of programming, the operating system and resident applications (6), provides the additional set-top terminal functions available from the cable system. The operating system (O/S) is typically code from a third party (such as Microsoft's WinCE™) that provides access, with the resident applications, to all authorized set-top terminal capabilities. The operating system typically uses an additional embedded code module provided by the manufacturer of the set-top terminal which interfaces the operating system with the particular hardware of that set-top terminal to enable the operating system to function with that specific set-top terminal.

Resident applications are computer programs that run on the set-top terminal under the operating system. The resident applications work with the operating system to provide the capabilities of the set-top terminal that are in addition to watching television. The native suite is a specified group of software applications, including the operating system and perhaps various resident applications, that provide the intended functions of the set-top terminal. Specific elements of the native suite are determined by the system operator.

As indicated in FIGS. 1 and 3, the boot code (1, 302) is preferably factory-loaded in the read-only memory (ROM) of the set-top terminal and is executed as soon as AC power is provided to the set-top terminal. Alternatively, the boot code may be executed in response to a reset signal (4) received, for example, from the headend, i.e., the system operator. This allows the system operator to re-initialize the set-top terminal whenever desired.

The reset signal (4) is preferably received by the base-platform code (3) which then terminates execution of the operating system and resident applications (6), if running, and begins execution of the boot code (1). Alternatively, the reset signal (4) may cause the base platform code (3) to terminate and reload the native suite (6) rather than execute the boot code (1).

As described above, whenever executed, the boot code (1) acquires and loads the base platform code (2). The base platform code may be provided to the set-top terminal over the cable network from the headend or, alternatively, may be factory-loaded along with the boot code. The boot code (1) will either download the base platform code (3), for example, over an out-of-band channel from the headend or, if the base platform code was factory-loaded, identify the base platform code (3) in memory. The boot code (1) authenticates the base platform code (3) from whatever source it is obtained and then executes the base platform code (3).

The base platform code (3) then acquires the operating system and, preferably, the other objects of the native suite (6). The operating system and the other objects are downloaded from the headend over the cable network. The base platform code (3) will acquire the operating system and other objects when first executed or, while running, in response to an initialization message (4) from the system operator. The initialization message (4) may be provided over the cable network. The operating system and resident applications (6) are then executed when the native suite is acquired, authorized and authenticated.

FIG. 2 is a flowchart providing a more detailed explanation of the initialization sequence according to the present invention. As shown in FIG. 2, when the set-top terminal is first powered, or an appropriate reset signal has been received, the boot code is executed (229). The boot code must first determine whether the set-top box has or must acquire the base platform code. To determine this, the boot code first checks the flash memory for the base platform code, the last known carrier (LKC) frequency of the control channel from the headend, and an Entitlement Management Message Provider Identification (“EMM Provider ID”) (201, 202).

If any of the following three conditions is discovered, the boot code will conclude that it must acquire the base platform code and will hunt for the out-of-band channel or the in-band channel from which the base platform code can be obtained. The boot code seeks to acquire the base platform code if (1) the base platform code, last known carrier and EMM Provider ID are not stored in the Flash memory, (2) the base platform code in the Flash memory fails an authentication check or (3) non-volatile memory indicates that hunting for the control channel (likely an out-of-band channel) is required.

If the Flash check determines that a base platform code object exists, the boot code proceeds to execute that base platform object after appropriate authorization and authentication as described below. If both the base platform and the O/S are loaded in Flash, the boot code authorizes and authenticates the base platform and then launches the base platform and passes control of the set-top terminal thereto. The base platform object, in turn, authorizes and authenticates (A&A) the O/S. The authenticated O/S is then run and control passes to the O/S.

If the base platform code is not loaded in Flash memory, the boot code loads the base platform off of the out-of-band transport stream (203, 204, 207). However, before it is written to Flash memory, a successful authentication is required (206, 205). When the authenticated base platform code is executed, the boot code passes control to the base platform (211, 228). If the base platform code fails the authentication check (205), the failed base platform code is deleted (208) and a counter is incremented (209) that tracks the number of attempts to acquire and authenticate a base platform code. If the counter is below a predetermined acceptable number of attempts, the base platform code is again downloaded (207). Alternatively, if the acceptable number of attempts to download the base platform code is exceeded, the set-top terminal may signal the headend for a service call (210).

Under the principles of the present invention, the boot code locates the base platform object using a boot code message or “bootcode_control_message” that is sent periodically on the out-of-band transport stream (204). Use of the bootcode_control_message will now be described in detail.

When the boot code determines the need to download the base platform object, it first hunts for the control channel. A table of possible carrier frequencies at which the control channel or channels are being broadcast is included in the boot code. These frequencies may be both in-band and out-of-band. The boot code will cause the set-top terminal to tune each of these frequencies in turn until the control channel is located and a carrier lock is obtained. If no control channel is received at a particular frequency for a predetermined period of time, the set-top terminal will tune the next frequency in the table.

The control channel is a stream of data packets that can be received and used by the set-top terminal. In order to broadcast a number of different objects simultaneously, the headend will divide objects to be transmitted over the control channel into packets. The packets of the various objects being transmitted can then be interspersed or time-multiplexed together so that several objects are all transmitted essentially simultaneously. The packets for each particular object will have a common packet identifier or “PID.” Thus, a set-top terminal can identify the packets for the object it is working to acquire. By acquiring all the packets with a particular PID, the complete object can then be reassembled by the set-top terminal from the set of packets with that particular PID.

According to the present invention, a set-top terminal can start anywhere in the progression to acquire an object and wrap around until all the necessary packets are downloaded. For example, the set-top terminal may load the first packet it receives with a PID X. That packet may be packet 50 of 100 marked by PID X. The terminal then continues to collect packets 51 to 100 with PID X, then 1 to 49. With all 100 packets obtained, the terminal can reassemble the packetized object.

Of particular concern to the present invention is the potential need to broadcast a number of objects simultaneously to accommodate different types or classes of set-top terminals in the population. Each class of set-top terminals may need a different version of, for example, the base platform code, the O/S or a resident application. Therefore, when the boot code is going to initialize the set-top terminal and must acquire the base platform code, the boot code must determine where to acquire the base platform appropriate to the set-top terminal on which it is running.

The process for identifying the correct object to download will now be described in detail with reference to FIGS. 3 and 4. As shown in FIG. 3, the processor (321) of the set-top terminal (300) controls a tuner (323) to tune a control channel over which data and programming are being broadcast by the headend to the population of set-top terminals.

The set-top box (300) will have a table of carrier frequencies at which the headend may be broadcasting a control channel of data and programming. As shown in FIG. 4, the method of the present invention may begin with the set-top terminal tuning the first control channel listed in that table (401). Once the carrier lock is achieved and the control channel is being received, the boot code will begin collecting packets from the transport stream on the control channel that are identified with PID 1 (402). PID 1 is dedicated to the conditional access message in the MPEG standard. The packets of PID 1 will provide the boot code running on the set-top terminal with a Conditional Access Table (CAT) of EMM Provider IDs each of which identifies a PID for a set of packets on the transport stream that constitute an EMM stream (Entitlement Management Message) (403, 404).

The boot code will begin with the first EMM Provider ID and begin loading packets from the transport stream that are marked with the EMM PID given by the first EMM Provider ID (405). The EMM PID packets being acquired will contain a boot code message of the present invention which, in turn, includes a platform identifier. Thus, the Entitlement Management Message will be extracted from the EMM PID packets acquired (406) and the platform identifier from the EMM will be extracted (407).

As shown in FIG. 3, the boot code (302) which is factory-installed in the set-top terminal will also include a platform identifier (320) that is specific to the type, architecture and capabilities of the terminal (300) in which the boot code is resident. When running, the boot code will attempt to match the platform identifier provided at the factory with the platform identifier from the boot code message of the EMM PID packets (408, 409).

If no match is found, the boot code will select the next EMM Provider ID in the CAT and check the packets of the EMM PID identified by that EMM Provider ID for a boot code message with a matching platform identifier (410, 405). This continues until the matching platform identifier is found. It may be possible to search multiple EMM PIDs simultaneously to reduce the EMM validation time and the time required to find the matching boot code message.

If all the EMM Provider IDs in the CAT of PID 1 are checked and no match is found for the platform identifier (410), the boot code will look for another control channel on another carrier frequency by returning to the table of carrier frequencies (401). When another frequency with a control channel is identified and locked, the boot code will extract PID 1 and repeat the process outlined above. This continues until a boot code message with a platform identifier matching the platform identifier of the boot code is found.

When the boot code finds a boot code message with a matching platform identifier, the boot code will extract a download PID (DL PID) specified by the EMM with the matching platform identifier (411). The download PID (DL PID) is the identifier for the packets that carry the code object, e.g., the base platform code object, that is appropriate for the type of set-top terminal (300) with the platform identifier (320). The boot code can then download the base platform code or other code object by acquiring the packets with the DL PID and reassembling the data in those packets into the base platform code.
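The search and download steps above (carrier table, CAT on PID 1, EMM platform identifier match, DL PID), together with the wrap-around packet collection described earlier, shown as an added C example; it is not code from the patent. The struct layouts, the 4-byte payload and all carrier, PID and platform identifier values are constructed, and both the single bounded pass over the carrier table (returning 0, the PAT PID in MPEG-2, for "no match") and the header sanity checks are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD  4   /* constructed: fixed payload bytes per packet */
#define MAX_PKTS 16  /* assumed cap on packets per code object */

/* Constructed layouts; the patent does not define wire formats. */
typedef struct { uint16_t emm_pid; uint32_t platform_id; uint16_t dl_pid; } emm_t;
typedef struct { uint32_t carrier_khz; int locked; const emm_t *cat; size_t n_cat; } channel_t;
typedef struct { uint16_t pid, seq, total; uint8_t data[PAYLOAD]; } packet_t;

/* Constructed sample: first carrier gives no lock, second carries two EMMs. */
static const emm_t CAT_B[] = {
    { 0x0030, 0x00A1, 0x0101 },   /* platform 0x00A1 -> DL PID 0x0101 */
    { 0x0031, 0x00B2, 0x0102 },   /* platform 0x00B2 -> DL PID 0x0102 */
};
static const channel_t CARRIERS[] = {
    {  75250, 0, NULL,  0 },
    { 104200, 1, CAT_B, 2 },
};
/* Constructed multiplex: two objects time-interleaved, repeated cyclically. */
static const packet_t STREAM[] = {
    { 0x0101, 1, 4, {'M','O','D','E'} },
    { 0x0102, 1, 2, {'m','o','d','e'} },
    { 0x0101, 2, 4, {'L','-','A','1'} },
    { 0x0101, 3, 4, {'-','B','A','S'} },
    { 0x0102, 2, 2, {'l','-','b','2'} },
    { 0x0101, 4, 4, {'E','.','.','.'} },
};
static uint8_t OBJ[MAX_PKTS * PAYLOAD];   /* download buffer */

/* Walk the carrier table, then every EMM in that channel's CAT, until one
 * carries our platform identifier. Returns its DL PID, or 0 if none matches. */
uint16_t find_dl_pid(const channel_t *tbl, size_t n, uint32_t my_id, uint32_t *carrier)
{
    for (size_t c = 0; c < n; c++) {
        if (!tbl[c].locked)
            continue;                          /* no carrier lock: next frequency */
        for (size_t e = 0; e < tbl[c].n_cat; e++) {
            if (tbl[c].cat[e].platform_id == my_id) {
                if (carrier)
                    *carrier = tbl[c].carrier_khz;
                return tbl[c].cat[e].dl_pid;
            }
        }
    }
    return 0;
}

/* Collect all packets with `pid`, joining the cyclic stream at `start` and
 * wrapping around. Returns the object length, or -1 on an inconsistent
 * header, an object too large for `out`, or packets still missing after one
 * full cycle. On -1 the caller must discard the partially filled buffer. */
long reassemble(const packet_t *s, size_t n, size_t start, uint16_t pid,
                uint8_t *out, size_t cap)
{
    uint8_t seen[MAX_PKTS] = {0};
    uint16_t total = 0, got = 0;

    for (size_t i = 0; i < n; i++) {
        const packet_t *p = &s[(start + i) % n];
        if (p->pid != pid)
            continue;                          /* packet of another object */
        if (total == 0) {                      /* first packet fixes the size */
            if (p->total == 0 || p->total > MAX_PKTS ||
                (size_t)p->total * PAYLOAD > cap)
                return -1;
            total = p->total;
        }
        if (p->total != total || p->seq == 0 || p->seq > total)
            return -1;                         /* never index outside `out` */
        if (seen[p->seq - 1])
            continue;                          /* duplicate packet */
        memcpy(out + (size_t)(p->seq - 1) * PAYLOAD, p->data, PAYLOAD);
        seen[p->seq - 1] = 1;
        if (++got == total)
            return (long)total * PAYLOAD;
    }
    return -1;
}

/* Returns 1 if a terminal with `platform_id`, joining the stream at packet
 * index `start`, ends up with exactly the bytes in `expect`. */
int demo(uint32_t platform_id, size_t start, const char *expect)
{
    uint16_t pid = find_dl_pid(CARRIERS, 2, platform_id, NULL);
    if (pid == 0)
        return 0;
    long len = reassemble(STREAM, 6, start, pid, OBJ, sizeof OBJ);
    return len == (long)strlen(expect) && memcmp(OBJ, expect, (size_t)len) == 0;
}

int main(void)
{
    printf("platform 0x00A1, joining at index 3: %s\n",
           demo(0x00A1, 3, "MODEL-A1-BASE...") ? "ok" : "fail");
    printf("platform 0x00C3: %s\n",
           find_dl_pid(CARRIERS, 2, 0x00C3, NULL) ? "object found" : "no matching object");
    return 0;
}
```

A platform identifier match only selects a compatible object; the authentication check described for FIG. 2 still decides whether the reassembled code is written to Flash and launched.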

As will be understood by those in the art, the platform identifier (320) of the present invention can be used to check any type of code object for its compatibility with the terminal in which the identifier (320) is resident. The invention is not limited to the use of the identifier (320) by the boot code (302) to locate and identify an appropriate base platform code. The platform identifier (320) of the present invention can be used in the same manner described above, for example, by the base platform code to identify and acquire an operating system object designed for the downloading set-top terminal. The platform identifier (320) can also be used to identify other elements of the native suite, i.e., resident applications, that are appropriate for the downloading set-top terminal.

Additionally, the platform identifier (320) of the present invention need not necessarily be incorporated into the boot code (302). Rather, the platform identifier (320) can be stored anywhere within the set-top terminal (300) where it can be accessed by the executing programs that require it to identify appropriate code objects for download.

As shown in FIG. 2, once the base platform code has been downloaded or identified as already resident in Flash memory, an authentication check (206) is performed to verify that the base platform code has been accurately and completely received and has not been altered by an unauthorized party. If the base platform fails the authentication check, it is deleted (208). A load counter may then be checked to determine the number of times the set-top terminal has attempted to acquire a valid base platform code (209). If the counter exceeds a predetermined limit, the set-top terminal may signal the headend for a service call or may indicate the need to request a service call to the subscriber (210). If the load counter is not exceeded, the boot code will revert to the process described above and attempt again to download the base platform code (207).

Alternatively, if the base platform code is authenticated, it is then launched (211). The base platform code will then determine if the native suite, including the O/S, is loaded in the Flash memory (214). If it is not, the base platform code will seek to download the native suite.

With the base platform code running, the system operator may provide the set-top terminal with a set of “initialization messages” that provide, for example, channel maps, tables and EMM information (219, 212). These messages should be provided before the native suite is loaded. The initialization messages may instruct the set-top terminal where to acquire the native suite.

After the native suite has been downloaded, or is found already existing in Flash memory, an authorization check is performed on the native suite (215, 220, 224, 223). The download of the native suite will include an Object Conditional Access Message (OCAM) that is recorded by the set-top terminal. The authentication signature and authorization code for the native suite object are provided in the OCAM and used to authorize and authenticate the native suite in the manner described below.

If the authorization check is not successful, the native suite code will be deleted (225, 217) and the base platform code will again attempt to acquire the native suite (221). If the authorization check is successful, the native suite and any resident applications associated with it are loaded and an authentication check is performed (222). As before, if the authentication check fails, the downloaded code will be deleted (217) and a load counter will be checked (216) to see if another attempt to download the code should be made or a service call signaled (213).

Alternatively, if the authentication check (222, 218) is successful, the native suite and any associated resident applications will be executed beginning with the O/S (226, 227). The base platform code performs the authorization and authentication on the O/S code. If the O/S passes the authorization and authentication checks, the O/S is executed and control is transferred to the O/S. The BIOS (Basic Input/Output Software) may perform the authorization and authentication of the remainder of the native suite (215, 224, 222).

In summary, various portions of the boot process include an object authorization and authentication (A&A) process for newly acquired or located objects. The authorization check of the native suite is done within the base platform. The authorization of the base platform is, in turn, performed by the boot code, which can only authenticate a base platform object. When running, the O/S of the native suite performs the authentication and authorization of subsequently loaded objects. These checks are required so that, given an interruption in power, etc., the authorization status of the terminal can be verified. If, at any point, an authorization or authentication check fails, the object being checked is disabled.

Authentication is performed as follows. When a code object is broadcast over the cable network, it is associated with an authorization code and an authentication signature. For the base platform object, the authorization code is preferably given in an object_id field of the boot code message. The authentication signature is preferably given in an object_description field of the boot code message. For other objects, such as the O/S and the native suite, the authorization code and authentication signature are provided in an OCAM downloaded with the object.

The authentication signature is computed mathematically using a specific algorithm with the code object itself as the input for the algorithm. The signature is then re-computed by the set-top terminal using the same algorithm and the downloaded code as input. If the signature computed by the set-top terminal matches the one transmitted with the code, the code can be implemented with confidence that it has been transmitted properly, without inadvertent or malicious alteration.
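The authenticate, delete and retry loop of FIG. 2, together with the signature comparison and the RAM-before-Flash staging described in this text, as added C code that is not from the patent. The page does not name the signature algorithm, so 64-bit FNV-1a stands in for it (an assumption; it catches transmission errors, not deliberate alteration); the download hook, the structure and function names and the limit of 3 are also assumptions.

```c
#include <stdint.h>
#include <string.h>
#define OBJ_MAX 64u
#define LOAD_LIMIT 3u   /* assumed value of the "predetermined limit" */

enum boot_result { BOOT_LAUNCH, BOOT_SERVICE_CALL };

struct terminal {
    uint8_t ram[OBJ_MAX];    /* staging area for unverified code */
    uint8_t flash[OBJ_MAX];  /* long-term store, verified code only */
    size_t flash_len;
    unsigned load_counter;   /* failed acquisition attempts */
};

/* Stand-in for the unnamed signature algorithm: 64-bit FNV-1a over the
 * whole code object. Not cryptographic; it only catches corruption. */
uint64_t signature(const uint8_t *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Hypothetical download hook: fills buf and returns the object length. */
typedef size_t (*fetch_fn)(uint8_t *buf, size_t cap, unsigned attempt);

enum boot_result acquire(struct terminal *t, fetch_fn fetch, uint64_t want)
{
    for (;;) {
        size_t n = fetch(t->ram, sizeof t->ram, t->load_counter);
        if (n > 0 && n <= sizeof t->ram && signature(t->ram, n) == want) {
            memcpy(t->flash, t->ram, n);     /* commit only after the check */
            t->flash_len = n;
            return BOOT_LAUNCH;
        }
        memset(t->ram, 0, sizeof t->ram);    /* delete the failed object */
        if (++t->load_counter > LOAD_LIMIT)  /* limit exceeded: stop retrying */
            return BOOT_SERVICE_CALL;
    }
}

/* Constructed headend: the first bad_attempts downloads carry a bit error. */
static const uint8_t GOOD[] = "base-platform-v2";
static unsigned bad_attempts;
static size_t fetch_sim(uint8_t *buf, size_t cap, unsigned attempt)
{
    if (cap < sizeof GOOD) return 0;
    memcpy(buf, GOOD, sizeof GOOD);
    if (attempt < bad_attempts) buf[3] ^= 0x01;
    return sizeof GOOD;
}

struct terminal demo_term;   /* inspected after demo() returns */
enum boot_result demo(unsigned n_bad)
{
    memset(&demo_term, 0, sizeof demo_term);
    bad_attempts = n_bad;
    return acquire(&demo_term, fetch_sim, signature(GOOD, sizeof GOOD));
}
```

In `demo`, the expected signature plays the role of the value delivered in the object_description field of the boot code message.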

The present invention provides for two basic ways to upgrade the basic platform in a population of set-top terminals once those terminals have been placed in full service. These two methods of upgrade are (1) a universal upgrade of the entire population (i.e., the entire population tuned to a particular control stream) and (2) a targeted upgrade of a subset or subsets of the population. Both methods may make use of the boot code to perform the upgrade.

A universal upgrade is accomplished by broadcasting an order from the headend for all set-top terminals on the control stream to delete their existing base platform object. The boot code then begins executing, assumes control, and performs the initialization procedure outlined above, including replacing the deleted base platform with a base platform downloaded over the cable network.

A targeted upgrade applies to a single terminal or a small group of terminals on a given control channel. Each terminal has a specific single-cast address and can, therefore, be addressed by the headend and instructed to delete the existing base platform code and re-initialize with upgrade code. Alternatively, each terminal has one or more multi-cast addresses that are shared by other terminals in the population. Four such multi-cast addresses for each terminal are preferred. With a multi-cast address, the headend can signal a code purge and re-initialization for a specific class of terminals that share that particular multi-cast address.

In a targeted upgrade, the base platform, using standard download messages, sets up download parameters in a start-up database in non-volatile memory (See FIG. 3) and allows the boot code to take control. The boot code then uses the parameters to acquire the upgraded base platform code, replacing the original base platform code. This is done while the older version of the base platform code is still spinning at a location indicated by the boot message.

In addition to the examples given above, an upgrade need not disturb the base platform code. Rather, the upgrade or reset signal, whether universal or targeted, may instruct the set-top terminal(s) to terminate and delete only the operating system (O/S), the entire native suite, or one or more particular resident applications. Control then returns to the base platform code which will acquire and authenticate a new O/S, entire native suite, or portions of the native suite as necessary. In this way, the native suite (or just the O/S) can be upgraded without requiring the base platform code to be reacquired as well.

FIG. 3 illustrates four memory units of a set-top terminal (300) according to the present invention. A read-only memory unit (ROM) (301) contains the boot code (302). A flash memory unit (303) contains the base platform code (304) and the O/S object (306). Aside from these objects, additional flash memory is available (305). Two stack pointers (307, 308) designate absolute locations in the Flash memory (303) for the base platform code (304, 308) and the O/S (306, 307). It is important that these two objects are always located at the same location in Flash (303).

A non-volatile memory unit (310) preferably has both a managed and a non-managed segment. The base platform code (304) may store parameters and other data in the non-managed portion of the non-volatile memory unit (310). Finally, a random access memory unit (RAM) (309) is provided.

Downloaded objects such as the base platform code, the O/S, etc. may be stored in the RAM (309) until authenticated. Once authorization and authentication are successfully completed, the objects may be transferred from the RAM (309) to the Flash memory unit (303) for long-term storage.

The preceding description has been presented only to illustrate and describe the invention. It is not intended to be exhaustive or to limit the invention to any precise form disclosed. Many modifications and variations are possible in light of the above teaching.

The preferred embodiment was chosen and described in order to best explain the principles of the invention and its practical application. The preceding description is intended to enable others skilled in the art to best utilize the invention in various embodiments and with various modifications as are suited to the particular use contemplated.

What is claimed is:
 1. A method of identifying a code object for download by a set-top terminal from a data transport stream broadcast to the set-top terminal over a cable television system where the object identified is appropriate to the architecture and capabilities of the set-top terminal, the method comprising matching a platform identifier stored in said set-top terminal with a second platform identifier in a download locator message that specifies where in said data transport stream a particular code object can be acquired, wherein said platform identifier stored in said set-top terminal is specific to said architecture and capabilities of said set-top terminal; wherein said download locator message is added as part of an entitlement management message.
 2. The method of claim 1, further comprising tuning said data transport stream with said set-top terminal based on a table of control channels carrying data transport streams.
 3. The method of claim 1, further comprising collecting PID 1 packets from said data transport stream and extracting therefrom a table specifying packet identifiers for a plurality of download locator messages being transmitted on said data transport stream.
 4. The method of claim 3, further comprising successively acquiring said plurality of download locator messages according to said table and extracting platform identifiers therefrom until a download locator message is found bearing a platform identifier that matches said platform identifier stored in said set-top terminal.
 5. The method of claim 4, further comprising obtaining locator data from said download locator message having a platform identifier that matches said platform identifier stored in said set-top terminal, wherein said locator data specifies where in said data transport stream a particular code object can be acquired.
 6. The method of claim 5, further comprising downloading to said set-top terminal said particular code object specified by said locator data from said download locator message having a platform identifier that matches said platform identifier stored in said set-top terminal.
 7. The method of claim 1, wherein said code object is a base platform code object.
 8. The method of claim 1, wherein said code object is an operating system code object.
 9. The method of claim 1, wherein said code object is a resident application code object.
 10. A system for identifying a code object for download by a set-top terminal from a data transport stream broadcast to the set-top terminal over a cable television system where the object identified is appropriate to the architecture and capabilities of the set-top terminal, the system comprising: means for obtaining a first platform identifier in a download locator message that specifies where in said data transport stream a particular code object can be acquired; and means for matching said first platform identifier with a second platform identifier stored in said set-top terminal, wherein said platform identifier is specific to said architecture and capabilities of said set-top terminal; wherein said download locator message is added as part of an entitlement management message.
 11. The system of claim 10, further comprising means for tuning said data transport stream with said set-top terminal based on a table of control channels carrying data transport streams.
 12. The system of claim 10, further comprising: means for collecting PID 1 packets from said data transport stream; and means for extracting therefrom a table specifying packet identifiers for a plurality of download locator messages being transmitted on said data transport stream.
 13. The system of claim 12, further comprising means for successively acquiring said plurality of download locator messages according to said table and extracting platform identifiers therefrom until a download locator message is found bearing a first platform identifier that matches said second platform identifier stored in said set-top terminal.
 14. The system of claim 13, further comprising means for obtaining locator data from said download locator message having said first platform identifier that matches said second platform identifier stored in said set-top terminal, wherein said locator data specifies where in said data transport stream a particular code object can be acquired.
 15. The system of claim 14, further comprising means for downloading to said set-top terminal said particular code object specified by said locator data from said download locator message having said first platform identifier that matches said second platform identifier stored in said set-top terminal.
 16. The system of claim 10, wherein said code object is a base platform code object.
 17. The system of claim 10, wherein said code object is an operating system code object.
 18. The system of claim 10, wherein said code object is a resident application code object.
 19. A method of initializing a set-top terminal, said method comprising: executing a boot code object with said set-top terminal; and with said boot code object, acquiring and launching a base platform code object on said set-top terminal by matching a platform identifier stored in said set-top terminal with a second platform identifier in a download locator message that specifies where in a data transport stream said base platform code object can be acquired, wherein said platform identifier stored in said set-top terminal is specific to said architecture and capabilities of said set-top terminal and wherein said download locator message is added as part of an entitlement management message; wherein said base platform code object, when executing, provides said set-top terminal with an ability to receive, tune and output television programming from a cable television system.
 20. The method of claim 19, wherein said acquiring said base platform code object comprises retrieving said base platform code object from a memory of said set-top terminal.
 21. The method of claim 19, wherein said acquiring said base platform code object further comprises downloading said base platform code object from a headend.
 22. The method of claim 19, wherein said acquiring and launching said base platform code object further comprises authenticating said base platform code object prior to launching said base platform code object.
 23. The method of claim 22, further comprising, if said base platform code object fails said authenticating of said base platform code object, deleting said base platform code object; re-acquiring said base platform code object; and authenticating said re-acquired base platform object.
 24. The method of claim 23, further comprising counting a number of failed attempts to authenticate a base platform code object.
 25. The method of claim 24, further comprising signaling for a service call when said number of failed attempts to authenticate a base platform code object reaches a pre-determined limit.
 26. The method of claim 19, wherein said acquiring said base platform code object further comprises checking memory of said set-top terminal for a base platform code object, a last known carrier frequency of a control channel and an Entitlement Management Message Provider Identification.
 27. The method of claim 26, further comprising downloading said base platform code object to said set-top terminal if said base platform code object, last known carrier frequency of a control channel and Entitlement Management Message Provider Identification are not found in said memory of said set-top terminal.
 28. The method of claim 19, further comprising, with said base platform code object executing on said set-top terminal, acquiring and launching an operating system on said set-top terminal.
 29. The method of claim 28, wherein said acquiring said operating system comprises retrieving said operating system from a memory of said set-top terminal.
 30. The method of claim 28, wherein said acquiring said operating system further comprises downloading said operating system from a headend.
 31. The method of claim 28, wherein said acquiring and launching said operating system further comprises authenticating and authorizing said operating system prior to launching said operating system.
 32. The method of claim 31, further comprising, if said operating system fails said authenticating and authorizing, deleting said operating system; re-acquiring said operating system; and authenticating and authorizing said re-acquired operating system.
 33. The method of claim 32, further comprising counting a number of failed attempts to authenticate and authorize an operating system.
 34. The method of claim 33, further comprising signaling for a service call when said number of failed attempts reaches a pre-determined limit.